For real data privacy, transparency and encryption are our best hopes

Privacy, Security

With Net Neutrality close to becoming a reality in the United States, Europe’s telecom companies appear ready to fight for consumers’ trust.

At the Mobile World Congress in Barcelona this week, Telefonica CEO Cesar Alierta called for strict rules that will foster “digital confidence”. Vodafone CEO Vittorio Colao’s keynote highlighted the need for both privacy and security. Deutsche Telekom’s Tim Höttges was in agreement, noting that “data privacy is super-critical”.

“80% [of consumers] are concerned about data security and privacy, but they are always clicking ‘I accept [the terms and conditions], I accept, I accept’ without reading them,” said Höttges, echoing a reality we found when conducting an experiment that — in the fine print — asked people to give up their first born child in exchange for free Wi-Fi.

The fight for consumers’ digital freedom is close to our hearts at F-Secure and we agree that strong rules about data breach disclosure are essential to regaining consumers trust. However, we worry that anything that limits freedom in name of privacy must be avoided.

Telenor CEO and GSMA chairman, Fredrik Baksaas noted the very real problem that consumers face managing multiple online identities with multiple passwords. He suggested tying digital identity to SIM cards. This dream of a single identity may seem liberating on a practical level. But beyond recently exposed problems with SIM security, a chained identity could disrupt some of the key benefits of online life — the right to define your identity, the liberty to separate work life from home life, the ability to participate in communities with an alternate persona.

GMSA is behind a single authentication system adopted by more than a dozen operators that is tied to phones, which could simplify life for many users. But it will likely not quench desires to have multiple email accounts or identities on a site nor completely solve the conundrum of digital identity.

The biggest problem is that so many of us aren’t aware of what we’ve already given up.

The old saying goes, “If it’s free, you’re the product”.  This was a comfortable model for generations who grew up trading free content in exchange for watching or listening to advertisements. But now the ads are watching us back.

F-Secure Labs has found that more than half of the most popular URLs in the world aren’t accessed directly by users. They’s accessed automatically when you visit the sites we intend to visit and used to track our activity.

Conventional terms and conditions are legal formalities that offer no benefits to users. As our Mikko Hypponen often says, the biggest lie on the Internet is “I have read and agreed with terms and conditions.” This will have to change for any hope of a world where privacy is respected.

In the advanced world, store-bought food is mandated to have its nutritional information printed on the packaging. We don’t typically read — nor understand — all the ingredients. But we get a snapshot of what effect it will have on us physically.

How about something like this for privacy that informs us how data is treated by a particular site or application.

What data is captured?

Is is just on this site or does it follow you around the web?

How long is stored?

Whom is it shared with?

Key questions, simply answered — all with the purpose of making it clear that your privacy has value.

Along with this increased transparency, operators and everyone who cares about digital rights must pay close attention to the effort to ban or limit encryption in the name of public safety. The right of law-abiding citizens to cloak their online activity is central to democracy. And all the privacy innovations in the world won’t matter if we cannot expect that right to exist.

We are entering an era where consumers will have more reasons, need and opportunities to connect than ever before. The services that offer us the chance to be more than a product will be the ones that thrive.

UPDATE: Micke reminds me to point out that F-Secure has already taken steps towards simple, clean disclosure with documents like this Data Transfer Declaration.

0 Comments

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

You might also like